Anthony PERARD
4f23a54b52
xen: Allow xenstored to map /proc/xen/xsd_kva
...
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2020-11-05 06:55:17 -05:00
Chris PeBenito
14a45a594b
devices, filesystem, systemd, ntp: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:45:11 -04:00
Chris PeBenito
785677771d
Merge pull request #313 from bootlin/buildroot-systemd-fixes
2020-10-09 09:42:40 -04:00
Chris PeBenito
b5525a3fca
systemd: Move systemd-pstore block up in alphabetical order.
...
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:42:31 -04:00
Antoine Tenart
e9228b49bb
systemd: allow systemd-network to list the runtime directory
...
Fixes:
avc: denied { read } for pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
avc: denied { read } for pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-10-09 08:58:31 +02:00
Antoine Tenart
49a0771dd3
systemd: allow systemd-getty-generator to read and write unallocated ttys
...
Fixes:
avc: denied { read write } for pid=40 comm="systemd-getty-g"
name="ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
avc: denied { open } for pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-10-09 08:58:31 +02:00
Deepak Rawat
f5c8a117d9
Add selinux-policy for systemd-pstore service
...
systemd-pstore is a service to archive contents of pstore.
Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>
2020-10-09 03:20:09 +00:00
Chris PeBenito
39e2af539d
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-22 08:27:05 -04:00
Chris PeBenito
941620c89c
Merge pull request #309 from yizhao1/dhcpcd
2020-09-22 08:23:49 -04:00
Antoine Tenart
fdda7befa5
systemd: allow systemd-resolve to read in tmpfs
...
Fixes:
avc: denied { read } for pid=76 comm="systemd-resolve" name="/"
dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
34547434b8
systemd: allow systemd-network to get attributes of fs
...
Fixes:
avc: denied { getattr } for pid=57 comm="systemd-network" name="/"
dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
Antoine Tenart
1ee738f708
systemd: allow systemd-hwdb to search init runtime directories
...
Fixes:
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Antoine Tenart
f71d288e54
systemd: add extra systemd_generator_t rules
...
Fixes:
avc: denied { setfscreate } for pid=41 comm="systemd-getty-g"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=process
permissive=1
avc: denied { dac_override } for pid=40 comm="systemd-fstab-g"
capability=1 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=capability
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Yi Zhao
25251b1f3b
sysnet: allow dhcpcd to create socket file
...
The dhcpcd needs to create socket file under /run/dhcpcd directory.
Fixes:
AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { setattr } for pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { sendto } for pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-09-21 14:23:09 +08:00
Antoine Tenart
23f1e4316b
sysnetwork: allow to read network configuration files
...
Fixes:
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { search } for pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
5c604e806b
logging: allow systemd-journal to write messages to the audit socket
...
Fixes:
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
8cb806fbdf
locallogin: allow login to get attributes of procfs
...
Fixes:
avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart
7014af08ff
udev: allow udevadm to retrieve xattrs
...
Fixes:
avc: denied { getattr } for pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
avc: denied { getattr } for pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Chris PeBenito
c33866e1f6
selinux, init, systemd, rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 16:55:06 -04:00
Christian Göttsche
24827d8073
selinux: add selinux_use_status_page and deprecate selinux_map_security_files
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-09 21:00:47 +02:00
Christian Göttsche
1103350ee3
init/systemd: allow systemd to map the SELinux status page
...
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.
see https://github.com/systemd/systemd/pull/16821
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-08 13:18:18 +02:00
Chris PeBenito
dcf7ae9f48
userdomain: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-31 15:36:14 -04:00
Jonathan Davies
9d3321e4fe
userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded.
...
Thanks to Dominick Grift for helping me pin-point this.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-29 20:43:38 +00:00
Chris PeBenito
72e221fd4d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-28 15:30:52 -04:00
Chris PeBenito
cc15ff2086
Merge pull request #302 from dsugar100/master
2020-08-28 15:26:50 -04:00
Chris PeBenito
74b37e16db
Merge pull request #301 from bauen1/fix-selint-s-010
2020-08-28 15:26:47 -04:00
bauen1
fa59d0e9bc
selint: fix S-010
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-08-28 17:39:09 +02:00
Dave Sugar
1627ab361e
Looks like this got dropped in pull request #294
...
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc: denied { map } for pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2020-08-27 08:10:58 -04:00
Chris PeBenito
d387e79989
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
Chris PeBenito
ab47695bdb
files, init, modutils, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 09:38:09 -04:00
Chris PeBenito
e10d956f38
Merge pull request #294 from cgzones/selint
2020-08-14 09:36:44 -04:00
Yi Zhao
8322f0e0d9
Remove duplicated rules
...
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 10:55:31 +08:00
Christian Göttsche
09ed84b632
files/modutils: unify modules_object_t usage into files module
...
modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Christian Göttsche
e9b2e1ea4f
work on SELint issues
...
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Chris PeBenito
fbc60f2319
Merge pull request #296 from cgzones/diff-check
...
whitespace cleanup
2020-08-13 09:19:48 -04:00
Christian Göttsche
72b2c66256
whitespace cleanup
...
Remove trailing white spaces and mixed up indents
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:34:57 +02:00
Christian Göttsche
3bb507efa6
Fix several misspellings
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
Chris PeBenito
71e653980b
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
Chris PeBenito
cd141fa2ea
Merge pull request #290 from pebenito/fs-image
2020-08-11 08:33:26 -04:00
Chris PeBenito
32b2332d36
Merge pull request #289 from pebenito/remove-unlabeled-file
2020-08-11 08:33:22 -04:00
Chris PeBenito
777fe47c19
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:33:39 -04:00
Chris PeBenito
fe737c405d
selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-28 10:33:07 -04:00
Chris PeBenito
4c7926a3c0
init: Revise init_startstop_service() build option blocks.
...
Revise to use ifelse to have a clear set of criteria for enabling the
various options. Additionally, if no options are enabled, run_init
permissions are provided as a default.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-27 11:40:36 -04:00
Chris PeBenito
613708cad6
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
be04bb3e7e
Rename "pid" interfaces to "runtime" interfaces.
...
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd
original type renaming.
Interfaces that are still in use were renamed with a compatibility
interface. Unused interfaces were fully deprecated for removal.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 14:33:17 -04:00
Chris PeBenito
c63e5410a9
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 08:48:41 -04:00
Chris PeBenito
c2a142d762
systemd: Merge generator domains.
...
If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.
Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.
Only aliases for removed types in previous releases are added. The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 09:47:20 -04:00
Chris PeBenito
71002cdfe0
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:57:44 -04:00
Chris PeBenito
91087f8ff1
Merge pull request #274 from bauen1/remove-dead-weight
2020-06-15 08:56:42 -04:00